Chapter 7 - 02 - Discuss Security Benefits of Network Segmentation - 01_ocred.pdf

Full Transcript


Certified Cybersecurity Technician
Network Security Controls - Technical Controls
Exam 212-82

Module Flow

* Discuss Essential Network Security Protocols
* Discuss Security Benefits of Network Segmentation
* Understand Different Types of Proxy Servers and their Benefits
* Discuss Fundamentals of VPN and its Importance in Network Security
* Understand Different Types of Firewalls and their Role
* Discuss Other Network Security Controls
* Understand Different Types of IDS/IPS and their Role
* Discuss Importance of Load Balancing in Network Security
* Understand Different Types of Honeypots
* Understand Various Antivirus/Anti-malware Software

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Discuss Security Benefits of Network Segmentation

Network segmentation enhances network security by creating layers within the network and separating the servers that contain sensitive information from the rest of the servers. The objective of this section is to explain the role of network segmentation in network security.

Module 07 Page 730

What is Network Segmentation?

* Network segmentation is the practice of splitting a network into smaller network segments and separating groups of systems or applications from each other.
* In a segmented network, groups of systems or applications that have no interaction with each other are placed in different network segments.

[Slide figure: the Internet enters through a firewall; the DMZ1 zone holds the Proxy Server, Email Server and Web Server; the DMZ2 zone holds the Internal Servers, Application Servers and Database Servers; the Internal zone sits behind the firewall.]

Security benefits of network segmentation:

* Improved security
* Better access control
* Improved monitoring
* Improved performance
* Better containment
Network segmentation is the practice of splitting a network into smaller network segments, separating groups of systems or applications from each other. Whether the segmentation is physical or virtual, it restricts communication across the network and therefore restricts network attacks. In a segmented network, groups of systems or applications that have no interaction with each other are placed on different network segments. Even if an attacker or an insider manages to penetrate the perimeter security, they cannot freely reach the network resources of one segment from another.

Network segmentation overcomes the drawback of a traditional flat network, where all network resources (servers, workstations, etc.) are placed on the same network. If an attacker manages to penetrate the perimeter defense, they can see and easily access everything on a flat network, since most detection tools focus on traffic crossing the perimeter rather than on traffic moving inside the network. Although a flat network infrastructure is easy to manage, it remains open to a wide range of attacks.

Security benefits of network segmentation:

* Improved security: It isolates network traffic to prevent access between network segments.
* Better access control: It allows users to access only the specific network resources they need.
* Improved monitoring: It provides an opportunity to log events, monitor allowed and denied internal connections, and detect malicious actions.
* Improved performance: With fewer hosts per subnet, local traffic is reduced and broadcast traffic is isolated to the local subnet.
* Better containment: It limits any network issue that might occur to the local subnet.

Module 07 Page 731
Working Principle of Network Segmentation

[Figure 7.28: Working principle of network segmentation. The Internet connects through a single firewall to three zones: the Internal zone (user workstations, internal servers), the DMZ1 zone (proxy server, email server, web server) and the DMZ2 zone (application servers, database servers).]

In the above diagram, network segmentation is used to separate servers using one firewall, two DMZs (demilitarized zones, each an isolated layer-3 subnet), and an internal zone. The web and email servers are separated from the servers that do not require direct internet access, since both need to be internet-facing and are therefore exposed to attack. Even if one of the internet-facing servers is compromised, this separation limits the damage.

Bidirectional traffic is allowed between the internal zone and DMZ2 for backups and authentication via Active Directory, whereas traffic between the internal zone and DMZ1 is allowed only one way, from the internal zone to DMZ1. The proxy, email, and web servers of DMZ1 are separated from the application and database servers of DMZ2 for enhanced security. The firewall allows internet traffic to DMZ1 only on specific ports (80 for HTTP, 25 for SMTP, 443 for HTTPS, etc.) and closes all other TCP and UDP ports, whereas it does not permit internet traffic to DMZ2 at all. If user workstations in the internal zone require internet access, the traffic is directed through an HTTP proxy server in DMZ1, since the internal zone is isolated from direct internet traffic. Even if a server in DMZ1 is compromised, the internal zone remains protected, because connections between the internal zone and DMZ1 may only be initiated from the internal side; on a stateful firewall the reply packets of those connections are still permitted, but a compromised DMZ1 host cannot open new connections inward. The segmentation in the above diagram represents a firewall security-zone segmentation that can optimize network security.
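The zone policy described above, written out as a small stateful evaluator so the one-way and port restrictions can be checked against concrete flows. This is an added example, not code from the EC-Council module: the subnets, the proxy port (3128) and the policy table are assumptions derived from the description of Figure 7.28, and the flows are constructed.

```python
"""Zone policy model for the firewall segmentation of Figure 7.28.

Added example, not from the EC-Council module. The subnets, the proxy port
(3128) and the policy table are assumptions derived from the description
of the figure; adapt them to the real firewall before use.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed addressing: one subnet per security zone.
ZONES = {
    "INTERNAL": ipaddress.ip_network("10.0.0.0/24"),
    "DMZ1": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ2": ipaddress.ip_network("192.168.2.0/24"),
}

# Which zone may INITIATE connections to which zone, and on which TCP ports.
# A set restricts the destination ports; None allows any port; a missing
# (src, dst) pair is denied. Replies to permitted connections are matched
# statefully, so "one-way" means "only this side may open connections".
POLICY = {
    ("INTERNET", "DMZ1"): {25, 80, 443},  # SMTP, HTTP, HTTPS to mail/web servers
    ("DMZ1", "INTERNET"): None,           # proxy and mail relay need outbound access
    ("INTERNAL", "DMZ1"): {3128},         # workstations reach the HTTP proxy (assumed port)
    ("INTERNAL", "DMZ2"): None,           # backups and AD authentication, both directions
    ("DMZ2", "INTERNAL"): None,
    # No ("INTERNET", "DMZ2"), no ("DMZ1", "INTERNAL"), no ("DMZ1", "DMZ2").
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the listed subnets is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class ZoneFirewall:
    """Stateful evaluator: new connections are checked against POLICY,
    reply packets are accepted if the forward connection was admitted."""

    def __init__(self) -> None:
        self.established = set()  # (src, sport, dst, dport) of admitted connections

    def allow(self, f: Flow) -> bool:
        # Reply direction of a connection that was already admitted.
        if (f.dst, f.dport, f.src, f.sport) in self.established:
            return True
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            return True  # intra-zone traffic never crosses the firewall
        if (src_zone, dst_zone) not in POLICY:
            return False
        ports = POLICY[(src_zone, dst_zone)]
        if ports is not None and f.dport not in ports:
            return False
        self.established.add((f.src, f.sport, f.dst, f.dport))
        return True


def audit_sample_flows() -> dict[str, bool]:
    """Run constructed flows through the model; returns name -> allowed."""
    fw = ZoneFirewall()
    cases = [
        ("internet->dmz1 web 443", Flow("203.0.113.7", 51000, "192.168.1.10", 443)),
        ("internet->dmz1 ssh 22", Flow("203.0.113.7", 51001, "192.168.1.10", 22)),
        ("internet->dmz2 db 1433", Flow("203.0.113.7", 51002, "192.168.2.30", 1433)),
        ("internal->dmz1 proxy", Flow("10.0.0.5", 40000, "192.168.1.5", 3128)),
        ("proxy reply->internal", Flow("192.168.1.5", 3128, "10.0.0.5", 40000)),
        ("dmz1 web->internal smb", Flow("192.168.1.10", 45000, "10.0.0.5", 445)),
        ("dmz1 web->dmz2 db", Flow("192.168.1.10", 45001, "192.168.2.30", 1433)),
        ("dmz2 ad->internal ldap", Flow("192.168.2.20", 50000, "10.0.0.2", 389)),
    ]
    return {name: fw.allow(flow) for name, flow in cases}


if __name__ == "__main__":
    for name, ok in audit_sample_flows().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The compromised-web-server case is the one to watch: the connection from 192.168.1.10 into the internal zone is refused because no (DMZ1, INTERNAL) entry exists, while the proxy's reply to a workstation passes only because the workstation opened that connection first. Translating the POLICY table into the real firewall's zone rules, with a default deny, is the check a practitioner would run against the diagram.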
For added security, a cloud-based web filtering solution (e.g., WebTitan, TitanHQ, SolarWinds MSP, etc.) can be used to filter website requests and prevent end users from accessing malicious websites.

Module 07 Page 732

Types of Network Segmentation

Physical Segmentation

* Physical segmentation is a process of splitting a larger network into smaller physical components.
* These segments can communicate via intermediary devices such as switches, hubs, or routers.
* Physical network segmentation can be an easy approach to divide a network, but it is expensive as it occupies more space.

[Slide figure: Segment 1, Segment 2 and Segment 3, each a shared hub connecting Device 1, Device 2 and Device 3, joined by a router that also reaches the Services.]

Types of Network Segmentation (Cont'd)

Logical Segmentation

* Logical segmentation utilizes VLANs, which are isolated logically without considering the physical locations of devices.
* Each VLAN is considered an independent logical unit, and the devices within a VLAN communicate as though they are in their own isolated network.
* In this approach, firewalls are shared, and switches handle the VLAN infrastructure.
* It is easier to implement and flexible to operate.

[Slide figure: a single VLAN switch with devices assigned to separate VLANs, connected through a router to the Services.]

Module 07 Page 733
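To make the logical-segmentation claim concrete (devices in a VLAN "communicate as though they are in their own isolated network" while sharing one physical switch), here is a toy 802.1Q learning switch. It is an added example, not code from the EC-Council module; the port layout, VLAN IDs and MAC addresses are constructed, and the switch model is deliberately minimal (no spanning tree, no native VLAN on the trunk).

```python
"""Toy 802.1Q switch showing how VLANs enforce logical segmentation.

Added example, not from the EC-Council module. Port numbers, VLAN IDs,
MAC addresses and the trunk layout are constructed for illustration.
"""
from __future__ import annotations

import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, vlan: int | None = None, payload: bytes = b"") -> bytes:
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted after the MACs when vlan is set."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP=0, DEI=0, VID
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_tag(frame: bytes) -> int | None:
    """Return the VID carried by an 802.1Q tag, or None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


class VlanSwitch:
    """Per-VLAN learning switch: a frame is only ever forwarded to ports that
    belong to the VLAN it was classified into, so hosts in other VLANs never
    see it even though they share the physical switch."""

    def __init__(self, ports: dict[int, dict]) -> None:
        # {port: {"mode": "access", "vlan": 10}} or {port: {"mode": "trunk", "allowed": {10, 20}}}
        self.ports = ports
        self.fdb = {}  # (vlan, mac) -> port; learned per VLAN, not globally

    def classify(self, port: int, frame: bytes) -> int | None:
        """Assign the ingress VLAN, or None if the frame must be dropped."""
        cfg, tag = self.ports[port], vlan_tag(frame)
        if cfg["mode"] == "access":
            return cfg["vlan"] if tag is None else None  # access ports take untagged frames only
        return tag if tag is not None and tag in cfg["allowed"] else None

    def members(self, vlan: int) -> list[int]:
        return [p for p, c in self.ports.items()
                if (c["mode"] == "access" and c["vlan"] == vlan)
                or (c["mode"] == "trunk" and vlan in c["allowed"])]

    def receive(self, port: int, frame: bytes) -> list[int]:
        """Return the egress ports for a frame arriving on `port` (trunk egress would re-tag)."""
        vlan = self.classify(port, frame)
        if vlan is None:
            return []
        dst, src = frame[0:6], frame[6:12]
        self.fdb[(vlan, src)] = port
        known = self.fdb.get((vlan, dst))
        targets = [known] if known is not None else self.members(vlan)  # unknown: flood in-VLAN
        return [p for p in targets if p != port]


def demo() -> dict[str, list[int]]:
    """Constructed topology: ports 1-2 in VLAN 10, port 3 in VLAN 20, port 4 a trunk."""
    sw = VlanSwitch({
        1: {"mode": "access", "vlan": 10},
        2: {"mode": "access", "vlan": 10},
        3: {"mode": "access", "vlan": 20},
        4: {"mode": "trunk", "allowed": {10, 20}},
    })
    h1, h2, h3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    return {
        # broadcast from a VLAN 10 host floods the other VLAN 10 port and the trunk only
        "bcast_vlan10": sw.receive(1, build_frame(BROADCAST, h1)),
        # a VLAN 20 host addressing h1 floods VLAN 20 only: h1 was learned in VLAN 10, not 20
        "h3_to_h1": sw.receive(3, build_frame(h1, h3)),
        # tagged VLAN 20 frame from the trunk reaches the VLAN 20 access port only
        "trunk_vlan20": sw.receive(4, build_frame(BROADCAST, h2, vlan=20)),
        # VID not in the trunk's allowed list is dropped
        "trunk_vlan30": sw.receive(4, build_frame(BROADCAST, h2, vlan=30)),
        # tagged frame arriving on an access port is dropped
        "tagged_on_access": sw.receive(2, build_frame(BROADCAST, h2, vlan=10)),
        # known unicast inside VLAN 10 goes to the one learned port
        "h2_to_h1_unicast": sw.receive(2, build_frame(h1, h2)),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:18} -> egress ports {ports}")
```

The point the model makes is that the forwarding database is keyed by (VLAN, MAC), so even a host whose address is known to the switch is unreachable from another VLAN without a router. The trunk port carries several VLANs over one cable, which is why the allowed-VID list on each trunk is part of the segmentation boundary and deserves the same review as a firewall rule.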
